First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule.
So with that in mind, we can edit iptables rules.

NoteThe number append after the name's chain. As we say that we insert the rule at the top, we must insert it before the first. So, you want to insert this rules before the third rule you as to change this number to 3. Simple isn't it!

Replace a rule

For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :

Now, we can imagine to automatize startup and stop of iptables based on a dump file restored and saved. This mechanism already exists, this what is going on when you start and stop the iptables service. At each stop of service, it saves the current state of iptables rules set on a file and each stop it restores this file.
And this file is :

/etc/sysconfig/iptables

for IPv4

/etc/sysconfig/ip6tables

for IPv6

So, if you prefer, you can edit this file and restart the iptables service to commit the changes. The format is pretty the same than iptables command :

# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011
*filter <--------------------------------------------------------- Specify the table of the next rules
:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain
:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [<packet-counter>:<byte-counter>] numbers is for
:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.
-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments
-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
# Completed on Wed Dec 7 20:22:39 2011

TUI/semi graphical

There is two ways for managing iptables rules with textual interface, by setup and system-config-firewall-tui. When in the first choice you need to select firewall configuration and then edit rules, the second will bring directly to the edition of rules.
So, with setup, select Firewall configuration :

On the next screen, we leave Firewall enabled or we activate it if it wasn't enabled. Then we go on Customize :

There is high chance that your service is part of the list of trusted services. This is basic activation of some standards services. Select what is needed and go Forward :

NoteTrusted Services just open the port. It doesn't allow you to specify allowed sources or destination

Now Edit other allowed ports :

Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.

Select interfaces to be masqueraded. Masquerading is better known as NAT (Network Address Translation), it is useful by example when your Fedora computer is used as gateway to access the internet :

Port forwarding is also known as PAT permit to reroute traffic from a port to another port

You can define ICMP behaviour of your fedora. By default, no limitations are made but you can define rules to reject ICMP traffic, define the return error to an ICMP request, etc.

Finally, you can define some custom rules. But you need to edit a file before containing your custom rules with same format than the iptables file, but without specifying the table of iptables used.

For adding custom rules you have specify the protocol between ipv4 or ipv6 and on what table add the custom rules filter, mangle or nat then the path to the file containing rules to add :

When it's done, you can Close the interface and this bring you and first screen of firewall configuration. Select OK and you have a warning appear :

Select Yes if the configuration that you made fits to you and exit interface, or No for came back to the firewall configuration screen.

Good to knowThe configuration is saved in the file /etc/sysconfig/system-config-firewall but when click Apply file /etc/sysconfig/iptables is overwritten. So take care to use one and keep it, or keep in mind that to not be surprised.

GUI

GUI interface allow you exactly the same thing that TUI interface, but it is more friendly usable.

First time you start GUI, you have a welcome message that warning you that if you have existing manual rules then this rules will be overwritten.

Before all, you need to Enable your firewall to use Firewall Configuration utility.

Then utility warn you that you don't have any existing configuration and want you execute the wizard. Click on Start wizard:

Click on forward :

System with network access enable Firewall and System without network access disable Firewall, so select System with network access :

Beginner allow you to modify only Trusted Services, it's fine if you use only known services like ftp, dns, http, etc but don't allow you to configure customs ports range, select Expert to have full featured Firewall Configuration utility, you can change this option later in the Options menu Main windows, in User Skill Level :

Now you can configure your firewall. As described earlier Desktop template enable 4 services IPsec, mDNS, IPP and SSH. If you have services listed in Trusted Services section that you want to enabled, you just have to click on it, that's all.
You can change template by using the Options menu, in Load Default Configuration.

Other Ports allow you to edit custom rules if your service port wasn't in Trusted service. To begin, just click on Add button. Then you have two choices, either you choose in services list the right service or you tick User Defined and fill requested information about Port / Port Range and Protocol.

'Trusted Interfaces, Masquerading, Port Forwarding, ICMP Filter and Custom Rules have exactly the same effect than in TUI interface.

When configuration fits to you, just clic on the Apply button.

Good to knowThe configuration is saved in the file /etc/sysconfig/system-config-firewall but when click Apply file /etc/sysconfig/iptables is overwritten. So take care to use one and keep it, or keep in mind that to not be surprised.